feat(provider/big_query_source): use correct inline structure for service account keys

cysp · cysp · commit eb5ed584c6d0 · 2025-09-03T22:11:41.000+10:00
diff --git a/docs/resources/big_query_source.md b/docs/resources/big_query_source.md
@@ -56,7 +56,19 @@ Required:
 
 Optional:
 
-- `service_account_key` (String, Sensitive)
+- `service_account_key` (Attributes) (see [below for nested schema](#nestedatt--credentials--service_account_key))
+
+<a id="nestedatt--credentials--service_account_key"></a>
+### Nested Schema for `credentials.service_account_key`
+
+Required:
+
+- `client_email` (String)
+- `client_id` (String)
+- `private_key` (String, Sensitive)
+- `private_key_id` (String)
+- `project_id` (String)
+
 
 
 <a id="nestedatt--connection_details"></a>
diff --git a/internal/provider/big_query_source_model.go b/internal/provider/big_query_source_model.go
@@ -17,9 +17,17 @@ type BigQuerySourceModel struct {
 
 //nolint:recvcheck
 type BigQuerySourceCredentials struct {
-	ProjectID         types.String `tfsdk:"project_id"`
-	Location          types.String `tfsdk:"location"`
-	ServiceAccountKey types.String `tfsdk:"service_account_key"`
+	ProjectID         types.String                                            `tfsdk:"project_id"`
+	Location          types.String                                            `tfsdk:"location"`
+	ServiceAccountKey TypedObject[BigQuerySourceCredentialsServiceAccountKey] `tfsdk:"service_account_key"`
+}
+
+type BigQuerySourceCredentialsServiceAccountKey struct {
+	ProjectID    types.String `tfsdk:"project_id"`
+	PrivateKeyID types.String `tfsdk:"private_key_id"`
+	PrivateKey   types.String `tfsdk:"private_key"`
+	ClientEmail  types.String `tfsdk:"client_email"`
+	ClientID     types.String `tfsdk:"client_id"`
 }
 
 type BigQuerySourceConnectionDetails struct {
diff --git a/internal/provider/big_query_source_model_request.go b/internal/provider/big_query_source_model_request.go
@@ -63,11 +63,35 @@ func (c BigQuerySourceCredentials) Encode(enc *jx.Encoder) {
 			e.Str(c.Location.ValueString())
 		})
 
-		serviceAccountKey := c.ServiceAccountKey.ValueString()
-		if serviceAccountKey != "" {
+		serviceAccountKey, serviceAccountKeyOk := c.ServiceAccountKey.GetValue()
+		if serviceAccountKeyOk {
 			enc.Field("service_account_key", func(e *jx.Encoder) {
-				e.Str(serviceAccountKey)
+				serviceAccountKey.Encode(e)
 			})
 		}
 	})
 }
+
+func (c BigQuerySourceCredentialsServiceAccountKey) Encode(enc *jx.Encoder) {
+	enc.Obj(func(enc *jx.Encoder) {
+		enc.Field("project_id", func(e *jx.Encoder) {
+			e.Str(c.ProjectID.ValueString())
+		})
+
+		enc.Field("private_key_id", func(e *jx.Encoder) {
+			e.Str(c.PrivateKeyID.ValueString())
+		})
+
+		enc.Field("private_key", func(e *jx.Encoder) {
+			e.Str(c.PrivateKey.ValueString())
+		})
+
+		enc.Field("client_email", func(e *jx.Encoder) {
+			e.Str(c.ClientEmail.ValueString())
+		})
+
+		enc.Field("client_id", func(e *jx.Encoder) {
+			e.Str(c.ClientID.ValueString())
+		})
+	})
+}
diff --git a/internal/provider/big_query_source_resource.go b/internal/provider/big_query_source_resource.go
@@ -66,19 +66,38 @@ func (r *bigQuerySourceResource) MoveState(ctx context.Context) []resource.State
 						return
 					}
 
+					type sourceCredentialsServiceAccountKeyModel struct {
+						ProjectID    *string `json:"project_id"`
+						PrivateKeyID *string `json:"private_key_id"`
+						PrivateKey   *string `json:"private_key"`
+						ClientEmail  *string `json:"client_email"`
+						ClientID     *string `json:"client_id"`
+					}
+
 					type sourceCredentialsModel struct {
-						ProjectID         *string `json:"project_id"`
-						Location          *string `json:"location"`
-						ServiceAccountKey *string `json:"service_account_key"`
+						ProjectID         *string                                  `json:"project_id"`
+						Location          *string                                  `json:"location"`
+						ServiceAccountKey *sourceCredentialsServiceAccountKeyModel `json:"service_account_key"`
 					}
 
 					sourceCredentials := sourceCredentialsModel{}
 					resp.Diagnostics.Append(sourceModel.Credentials.Unmarshal(&sourceCredentials)...)
 
 					bigQuerySourceCredentials := BigQuerySourceCredentials{
-						ProjectID:         types.StringPointerValue(sourceCredentials.ProjectID),
-						Location:          types.StringPointerValue(sourceCredentials.Location),
-						ServiceAccountKey: types.StringPointerValue(sourceCredentials.ServiceAccountKey),
+						ProjectID: types.StringPointerValue(sourceCredentials.ProjectID),
+						Location:  types.StringPointerValue(sourceCredentials.Location),
+					}
+
+					if sourceCredentials.ServiceAccountKey != nil {
+						serviceAccountKey := NewTypedObject(BigQuerySourceCredentialsServiceAccountKey{
+							ProjectID:    types.StringPointerValue(sourceCredentials.ServiceAccountKey.ProjectID),
+							PrivateKeyID: types.StringPointerValue(sourceCredentials.ServiceAccountKey.PrivateKeyID),
+							PrivateKey:   types.StringPointerValue(sourceCredentials.ServiceAccountKey.PrivateKey),
+							ClientEmail:  types.StringPointerValue(sourceCredentials.ServiceAccountKey.ClientEmail),
+							ClientID:     types.StringPointerValue(sourceCredentials.ServiceAccountKey.ClientID),
+						})
+
+						bigQuerySourceCredentials.ServiceAccountKey = serviceAccountKey
 					}
 
 					type sourceConnectionDetailsModel struct {
diff --git a/internal/provider/big_query_source_resource_schema.go b/internal/provider/big_query_source_resource_schema.go
@@ -40,17 +40,39 @@ func BigQuerySourceCredentialsResourceSchema(ctx context.Context) schema.Attribu
 	}
 }
 
-func BigQuerySourceCredentialsResourceSchemaAttributes(_ context.Context) map[string]schema.Attribute {
+func BigQuerySourceCredentialsResourceSchemaAttributes(ctx context.Context) map[string]schema.Attribute {
 	return map[string]schema.Attribute{
 		"project_id": schema.StringAttribute{
 			Required: true,
 		},
 		"location": schema.StringAttribute{
 			Required: true,
 		},
-		"service_account_key": schema.StringAttribute{
-			Optional:  true,
+		"service_account_key": schema.SingleNestedAttribute{
+			Optional:   true,
+			Attributes: BigQuerySourceCredentialsServiceAccountKeyResourceSchemaAttributes(ctx),
+			CustomType: NewTypedObjectNull[BigQuerySourceCredentialsServiceAccountKey]().CustomType(ctx),
+		},
+	}
+}
+
+func BigQuerySourceCredentialsServiceAccountKeyResourceSchemaAttributes(_ context.Context) map[string]schema.Attribute {
+	return map[string]schema.Attribute{
+		"project_id": schema.StringAttribute{
+			Required: true,
+		},
+		"private_key_id": schema.StringAttribute{
+			Required: true,
+		},
+		"private_key": schema.StringAttribute{
 			Sensitive: true,
+			Required:  true,
+		},
+		"client_email": schema.StringAttribute{
+			Required: true,
+		},
+		"client_id": schema.StringAttribute{
+			Required: true,
 		},
 	}
 }
diff --git a/internal/provider/big_query_source_resource_test.go b/internal/provider/big_query_source_resource_test.go
@@ -102,7 +102,7 @@ func TestAccBigQuerySourceResourceCreateUpdateDelete(t *testing.T) {
 				ConfigDirectory: config.TestNameDirectory(),
 				ConfigVariables: config.Variables{
 					"source_label": config.StringVariable("Test Source"),
-					"source_credentials": config.MapVariable(map[string]config.Variable{
+					"source_credentials": config.ObjectVariable(map[string]config.Variable{
 						"project_id": config.StringVariable("project-id"),
 						"location":   config.StringVariable("US"),
 					}),
@@ -125,9 +125,16 @@ func TestAccBigQuerySourceResourceCreateUpdateDelete(t *testing.T) {
 				ConfigDirectory: config.TestNameDirectory(),
 				ConfigVariables: config.Variables{
 					"source_label": config.StringVariable("Test Source (updated)"),
-					"source_credentials": config.MapVariable(map[string]config.Variable{
+					"source_credentials": config.ObjectVariable(map[string]config.Variable{
 						"project_id": config.StringVariable("project-id"),
 						"location":   config.StringVariable("US"),
+						"service_account_key": config.ObjectVariable(map[string]config.Variable{
+							"project_id":     config.StringVariable("project-id"),
+							"private_key_id": config.StringVariable("private-key-id"),
+							"private_key":    config.StringVariable("private-key"),
+							"client_id":      config.StringVariable("client-id"),
+							"client_email":   config.StringVariable("client-email"),
+						}),
 					}),
 				},
 				ConfigPlanChecks: resource.ConfigPlanChecks{
@@ -197,3 +204,65 @@ func TestAccBigQuerySourceResourceMovedFromSource(t *testing.T) {
 		},
 	})
 }
+
+//nolint:paralleltest
+func TestAccBigQuerySourceResourceMovedFromSourceWithServiceAccountKey(t *testing.T) {
+	server, err := cmt.NewCensusManagementServer()
+	require.NoError(t, err)
+
+	configVariables := config.Variables{
+		"source_label": config.StringVariable("Test Source"),
+		"source_credentials": config.ObjectVariable(map[string]config.Variable{
+			"project_id": config.StringVariable("project-id"),
+			"location":   config.StringVariable("US"),
+			"service_account_key": config.ObjectVariable(map[string]config.Variable{
+				"project_id":     config.StringVariable("project-id"),
+				"private_key_id": config.StringVariable("private-key-id"),
+				"private_key":    config.StringVariable("private-key"),
+				"client_id":      config.StringVariable("client-id"),
+				"client_email":   config.StringVariable("client-email"),
+			}),
+		}),
+	}
+
+	ProviderMockedResourceTest(t, server, resource.TestCase{
+		Steps: []resource.TestStep{
+			{
+				ConfigDirectory: config.TestStepDirectory(),
+				ConfigVariables: configVariables,
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("censusworkspace_source.test", plancheck.ResourceActionCreate),
+						plancheck.ExpectUnknownValue("censusworkspace_source.test", tfjsonpath.New("id")),
+						plancheck.ExpectKnownValue("censusworkspace_source.test", tfjsonpath.New("label"), knownvalue.StringExact("Test Source")),
+					},
+					PostApplyPostRefresh: []plancheck.PlanCheck{
+						plancheck.ExpectKnownValue("censusworkspace_source.test", tfjsonpath.New("last_test_succeeded"), knownvalue.Null()),
+					},
+				},
+			},
+			{
+				ConfigDirectory: config.TestStepDirectory(),
+				ConfigVariables: configVariables,
+
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectEmptyPlan(),
+						plancheck.ExpectResourceAction("censusworkspace_big_query_source.test", plancheck.ResourceActionNoop),
+						plancheck.ExpectKnownValue("censusworkspace_big_query_source.test", tfjsonpath.New("id"), knownvalue.NotNull()),
+						plancheck.ExpectKnownValue("censusworkspace_big_query_source.test", tfjsonpath.New("label"), knownvalue.StringExact("Test Source")),
+						plancheck.ExpectKnownValue("censusworkspace_big_query_source.test", tfjsonpath.New("name"), knownvalue.NotNull()),
+						plancheck.ExpectKnownValue("censusworkspace_big_query_source.test", tfjsonpath.New("credentials").AtMapKey("project_id"), knownvalue.StringExact("project-id")),
+						plancheck.ExpectKnownValue("censusworkspace_big_query_source.test", tfjsonpath.New("credentials").AtMapKey("location"), knownvalue.StringExact("US")),
+						plancheck.ExpectKnownValue("censusworkspace_big_query_source.test", tfjsonpath.New("credentials").AtMapKey("service_account_key").AtMapKey("private_key_id"), knownvalue.StringExact("private-key-id")),
+						plancheck.ExpectKnownValue("censusworkspace_big_query_source.test", tfjsonpath.New("credentials").AtMapKey("service_account_key").AtMapKey("client_email"), knownvalue.StringExact("client-email")),
+						plancheck.ExpectKnownValue("censusworkspace_big_query_source.test", tfjsonpath.New("connection_details"), knownvalue.NotNull()),
+					},
+					PostApplyPostRefresh: []plancheck.PlanCheck{
+						plancheck.ExpectKnownValue("censusworkspace_big_query_source.test", tfjsonpath.New("last_test_succeeded"), knownvalue.Null()),
+					},
+				},
+			},
+		},
+	})
+}
diff --git a/internal/provider/testdata/TestAccBigQuerySourceResourceMovedFromSourceWithServiceAccountKey/1/main.tf b/internal/provider/testdata/TestAccBigQuerySourceResourceMovedFromSourceWithServiceAccountKey/1/main.tf
@@ -0,0 +1,6 @@
+resource "censusworkspace_source" "test" {
+  type  = "big_query"
+  label = var.source_label
+
+  credentials = jsonencode(var.source_credentials)
+}
diff --git a/internal/provider/testdata/TestAccBigQuerySourceResourceMovedFromSourceWithServiceAccountKey/1/vars.tf b/internal/provider/testdata/TestAccBigQuerySourceResourceMovedFromSourceWithServiceAccountKey/1/vars.tf
@@ -0,0 +1,7 @@
+variable "source_label" {
+  type    = string
+  default = null
+}
+
+variable "source_credentials" {
+}
diff --git a/internal/provider/testdata/TestAccBigQuerySourceResourceMovedFromSourceWithServiceAccountKey/2/main.tf b/internal/provider/testdata/TestAccBigQuerySourceResourceMovedFromSourceWithServiceAccountKey/2/main.tf
@@ -0,0 +1,10 @@
+moved {
+  from = censusworkspace_source.test
+  to   = censusworkspace_big_query_source.test
+}
+
+resource "censusworkspace_big_query_source" "test" {
+  label = var.source_label
+
+  credentials = var.source_credentials
+}
diff --git a/internal/provider/testdata/TestAccBigQuerySourceResourceMovedFromSourceWithServiceAccountKey/2/vars.tf b/internal/provider/testdata/TestAccBigQuerySourceResourceMovedFromSourceWithServiceAccountKey/2/vars.tf
@@ -0,0 +1,7 @@
+variable "source_label" {
+  type    = string
+  default = null
+}
+
+variable "source_credentials" {
+}
